WHAT IS CLAIMED IS: 

1 . A method for intercepting a command sent to a manager program 
generated by a client program and determining whether said command is 
characteristic of a normal application program, the method comprising the 
5 steps of: 

intercepting said command; 

preventing the direct sending of said command from said client 
program to said manager program; 

performing an analysis upon said command; 
10 sending said command to said manager program if said analysis 

determines that said command is characteristic of a normal application 
program; and 

preventing said command from reaching said manager program if 
said analysis determines that said command is not characteristic of a 
15 normal application program; 

whereby said manager program is protected from commands that are 
sent from a client program that is under control of an attacker. 
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2. The method of claim 1 , further comprising the step of: 
permanently storing said command. 

3. The method of claim 1 , further comprising: 

alerting an administrator through a notification channel if said 
5 analysis determines that said command is not characteristic of a normal 
application program. 

4. The method of claim 1 , further comprising: 

storing normal patterns that correspond to commands generated by 
said normal application programs; 
10 said analyzing step comprises: 

determining whether said command corresponds to any of said stored 
patterns, and 

determining whether said command is characteristic of a normal 
application program if said analysis determines that said command 
15 corresponds to any of said stored patterns. 

5. The method of claim 1 , further comprising: 

storing attacker patterns that correspond to commands generated by 

a client program that is under control of an attacker, 
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said analyzing step comprises: 

determining whether said command corresponds to said stored 
attacker patterns, and 

determining that said command is not characteristic of a normal 
application program if said analysis determines that said command 
corresponds to any of said attacker patterns. 

6. The method of claim 1 , wherein: 

said manager program is a database manager. 

7. The method of claim 6, wherein: 

said command is a Structured Query Language query. 

8. An application firewall program for intercepting a command sent 
from a client program to a manager program and determining whether 
said command is characteristic of a normal application program, 
comprising: 

a preventor step to prevent the direct sending of said command from 

said client program to said manager program; 

an analysis step whereby said command is analyzed to determine if it 

is characteristic of a normal application program; and 
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a forwarding step in which said command is sent to said manager 
program provided said analysis determines that said command is 
characteristic of a normal program; and 

a prevention step in which commands that are not characteristic of a 
5 normal application program are prevented from reaching said manager 
program. 

9. The application firewall program of claim 8 further comprising: 
data storage. 

1 0. An application firewall machine comprising: 

10 a first network interface coupling said firewall machine to a client 

computer via a first network segment; 

a second network interface coupling said firewall machine to a 

manager computer via a second network segment; 

a communications manager coupled to said first and second network 

15 interfaces, said communications manager being operable to read and 

write data to said first and second network segments via the 

corresponding first and second network interfaces, said communications 

manager being further operable to not permit direct passage of network 

Page 94 of 99 



communications across the network interfaces, and operable to send data 
to said manager computer when analysis determines that data coming 
from said client computer contains a command that is characteristic of a 
normal program; and 
5 a command processor to process said data to identify commands that 

are being passed as requests from said client computer to said manager 
computer, and 

a command analyzer to analyze said commands to determine if said 
commands are characteristic of a normal application program. 
10 11. An application firewall machine in accordance with claim 1 0 wherein: 
said client machine comprises a database client program, said 
database client program being operable to generate commands that are 
directed to said manager machine; and 

said manager machine comprises a database manager program, said 
15 database manager program receiving commands sent by said client 
machine. 

1 2. An application firewall machine in accordance with claim 1 1 wherein 

said commands are SQL commands; 

Page 95 of 99 



said client machine comprises a database client program generating 
said SQL commands directed to said manager machine; and 

said manager machine comprises a database manager program 
capable of receiving said SQL commands. 
5 13. An application firewall machine in accordance with claim 1 0 further 
comprising: 

a data storage manager. 
1 4. An application firewall machine in accordance with claim 1 3 wherein: 
said storage manager comprise stored data representing invalid 
10 commands that said client computer should never generate and which are 
indicative of attack; and 

said command analyzer utilizes said data representing invalid 
commands. 

1 5. An application firewall machine in accordance with claim 1 3 wherein: 

15 said storage manager comprise stored data which represents only 

normal commands that said client computer should generate; and 

said command analyzer utilizes said stored data. 

1 6. An application firewall machine in accordance with claim 1 3 wherein: 
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said storage manager comprises an SQL database manager. 
1 7. An application firewall machine in accordance with claim 1 3 wherein: 

said storage manager comprises an indexed file system storage. 
1 8. An application firewall machine in accordance with claim 1 3 wherein: 
5 said storage manager comprises a file system storage. 

1 9. An application firewall machine in accordance with claim 1 3 wherein: 
said storage manager comprises distributed file system storage. 

20. An application firewall machine in accordance with claim 10, further 
comprising: 

10 an alerting interface operable to alerts an administrator through a 

notification channel, if said analysis determines that said command is not 

characteristic of a normal application program; 

whereby the alert allows the administrator to initiate a course of 

action that further protects said manager, if said analysis determines that 
15 said command is not characteristic of a normal application program, said 

alerting interface 

21 . An application firewall machine in accordance with claim 1 7 
wherein: 
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said alerting interface may send information about said attack to a 
destination selected from the group consisting of an SMTP servers, SNMP 
managers, system log files, and wireless pager notification. 
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